Create an event profile for the Proofpoint Integration for Security Operations
Create an event profile to identify the events you want to import from the Proofpoint product.
Before you begin
Role required: sn_si_admin
Procedure
- Navigate to All > SIR Integration with Proofpoint > Proofpoint Events Profile.
- Select New.
- Fill in the fields.
  The progress bar is displayed starting with Name.

  | Field | Description |
  | --- | --- |
  | Name | Name for the event profile. You might select names that describe the following Event Types that are supported and included with the application: Clicks Blocked, Clicks Permitted, Messages Blocked, Messages Delivered. |
  | Source | Select the source you configured for the integration on the Integration Configurations page. |
  | Order | Order in which this profile is run. Default is 100. |
  | Active | Select this check box to activate the profile. |
  | Description | Text to help you identify this event profile. |

- Select Continue.
  The Proofpoint Event Selection step is displayed and the supported Event Types included with the application are displayed in the Available column:
  - Clicks Blocked
  - Clicks Permitted
  - Messages Blocked
  - Messages Delivered
- Choose one or more to move to the Selected column.
- Select Continue.
  The profile(s) you selected are displayed. For example, if you select a messages event, the Message Mapping configuration step is displayed in the progress bar. If you select a message profile and a clicks profile, both configuration steps are displayed in the progress bar.
  The values for the Source Fields are provided on this page from the targeted attack protection (TAP) data in your environment as a reference.
  The default mapping of the source fields data to the target fields is displayed on the right side of the page. Basic data is included as a guide, but you can modify this mapping.
- Select the f(x) icon to view the default translations included with the application.
  These translations accommodate multiple values for a field by inserting commas between the values.
- Select Continue.
- In the Filtering and Aggregations page, configure the following:

  Table 1. Filtering and Aggregation properties

  | Option | Description |
  | --- | --- |
  | Filter based on conditions for Message Events | Select to enable filtering based on message events. |
  | Message Events Filter Conditions | Create the message event filter conditions. |
  | Filter based on conditions for Click Events | Select to enable filtering based on click events. |
  | Click Events Filter Conditions | Create the click event filter conditions. |
  | Aggregation Conditions | Select to allow an incoming incident to be appended to an open security incident instead of creating a new one. |
  | Incident fields with matching values | Add Security Incident Response fields. All field values that are selected must be matched for an incident to meet the aggregation criteria. |
  | Log work note for New Incident | Select to enable work notes logging to the parent Security Incident Response. |
  | Enable ThreatID Relation | Select to enable aggregation of all the incidents for which the ThreatID is the same. |

- Select Continue.
  The Scheduling step is displayed.
- Select the import type and how often you want to import event data.

  | Option | Description |
  | --- | --- |
  | Ongoing Events Ingestion | Select this to import events on a regular interval. Provide a start date, the end date, and the polling interval in minutes. Fields: Polling increment (minutes): Interval in minutes between imports; Set Initial Events Ingestion Time; Input initial Ingestion Time. |
  | One Time Retrieval | Select this to import events only once on the basis of the date configured. All the events from the selected date are imported. Provide a start date for the event import (Since date). |
- Select Finish.
  The newly created event profile is listed with the existing profiles.
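
The aggregation rule from the Filtering and Aggregations step and the comma-joined translations can be modeled as below, to compare how many incidents a given choice of matching fields would produce. This is an added example, not ServiceNow or Proofpoint code. The mapping, field names, sample events, and the choice to skip aggregation when no fields are selected are assumptions made for illustration.

```javascript
// Illustrative model only; not the application's implementation.
// Translation: a multi-valued source field becomes one comma-separated string.
function translate(value) {
  if (value == null) return '';
  return Array.isArray(value) ? value.join(',') : String(value);
}

// Apply a { targetField: sourceField } mapping (hypothetical names) to one event.
function mapEvent(event, mapping) {
  const fields = {};
  for (const [target, source] of Object.entries(mapping)) {
    fields[target] = translate(event[source]);
  }
  return fields;
}

// An incoming incident is appended to an open one only when every selected
// field matches; a partial match creates a new incident.
// Assumption: with no fields selected, nothing is aggregated.
function aggregate(events, mapping, matchFields) {
  const open = [];
  for (const event of events) {
    const incoming = mapEvent(event, mapping);
    const parent = matchFields.length === 0 ? undefined :
      open.find(inc => matchFields.every(f => inc.fields[f] === incoming[f]));
    if (parent) parent.appended += 1;
    else open.push({ fields: incoming, appended: 0 });
  }
  return open;
}

// Constructed sample data (not real TAP output).
const MAPPING = { sender: 'sender', recipients: 'recipient', subject: 'subject' };
const SAMPLE_EVENTS = [
  { sender: 'a@example.test', recipient: ['u1@corp.example'], subject: 'Invoice' },
  { sender: 'a@example.test', recipient: ['u2@corp.example', 'u3@corp.example'], subject: 'Invoice' },
  { sender: 'a@example.test', recipient: ['u1@corp.example'], subject: 'Invoice' },
  { sender: 'b@example.test', recipient: ['u1@corp.example'], subject: 'Invoice' },
];

// Compare how many incidents each choice of matching fields would produce.
for (const fields of [['sender', 'subject'], ['sender', 'subject', 'recipients']]) {
  console.log(fields.join('+'), '->', aggregate(SAMPLE_EVENTS, MAPPING, fields).length);
}
```

Adding a multi-valued field such as recipients to the matching fields makes the comma-joined string part of the match, so the same sender and subject sent to a different recipient set opens a separate incident.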